diff --git a/rpms/unkin-ca-certificates/2025.03.22/release b/rpms/unkin-ca-certificates/2025.03.22/release
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/rpms/unkin-ca-certificates/2025.03.22/release
@@ -0,0 +1 @@
+1
diff --git a/rpms/unkin-ca-certificates/Dockerfile b/rpms/unkin-ca-certificates/Dockerfile
new file mode 100644
index 0000000..d780271
--- /dev/null
+++ b/rpms/unkin-ca-certificates/Dockerfile
@@ -0,0 +1,23 @@
+# Start with the AlmaLinux 8.10 base image
+FROM git.query.consul/unkin/almalinux8-rpmbuilder:latest
+
+# Create output directory for RPMs
+RUN mkdir -p /app/dist
+
+# Set working directory
+WORKDIR /app
+
+ARG PACKAGE_RELEASE
+ENV PACKAGE_RELEASE=${PACKAGE_RELEASE}
+ARG PACKAGE_VERSION
+ENV PACKAGE_VERSION=${PACKAGE_VERSION}
+
+# Copy nfpm.yaml from the context into the container
+COPY nfpm.yaml /app/nfpm.yaml
+COPY scripts /app/scripts
+
+# Download the required files
+RUN curl -o /app/UNKIN_ROOTCA_2024.crt https://vault.query.consul:8200/v1/pki_root/ca/pem
+
+# Default command to build RPMs
+CMD nfpm pkg --config /app/nfpm.yaml --target /app/dist --packager rpm
diff --git a/rpms/unkin-ca-certificates/nfpm.yaml b/rpms/unkin-ca-certificates/nfpm.yaml
new file mode 100644
index 0000000..09b265e
--- /dev/null
+++ b/rpms/unkin-ca-certificates/nfpm.yaml
@@ -0,0 +1,35 @@
+# nfpm.yaml
+
+name: unkin-ca-certificates
+version: ${PACKAGE_VERSION}
+release: ${PACKAGE_RELEASE}
+arch: amd64
+platform: linux
+section: default
+priority: extra
+description: "ca-certificates for the unkin site"
+
+maintainer: Unkin
+homepage: https://vault.query.consul:8200
+license: Apache-2.0
+
+disable_globbing: false
+
+replaces:
+  - unkin-ca-certificates
+
+# Files to include in the package
+contents:
+  - src: /app/UNKIN_ROOTCA_2024.crt
+    dst: /etc/pki/ca-trust/source/anchors/UNKIN_ROOTCA_2024.crt
+    file_info:
+      mode: 0755
+      owner: root
+      group: root
+
+# Scripts to run during installation/removal (optional)
+scripts:
+  postinstall: ./scripts/postinstall.sh
+#   preinstall: ./scripts/preinstall.sh
+#   preremove: ./scripts/preremove.sh
+#   postremove: ./scripts/postremove.sh
diff --git a/rpms/unkin-ca-certificates/scripts/postinstall.sh b/rpms/unkin-ca-certificates/scripts/postinstall.sh
new file mode 100755
index 0000000..f6a56f3
--- /dev/null
+++ b/rpms/unkin-ca-certificates/scripts/postinstall.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+/usr/bin/update-ca-trust extract